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EXECUTIVE  SUMMARY 


The  design  of  defense  nuclear  facilities  includes  systems  whose  reliable  operation  is  vital 
to  the  protection  of  the  public,  workers,  and  the  environment.  Confinement  ventilation  systems 
are  among  the  most  important  of  such  systems  for  protecting  the  public,  and  are  generally  relied 
upon  as  the  final  safety-class  barrier  to  the  release  of  hazardous  materials  with  potentially 
serious  public  consequences.  The  Defense  Nuclear  Facilities  Safety  Board  (Board)  has  advised 
the  Department  of  Energy  (DOE)  in  various  ways  during  the  past  decade  regarding  the  need  to 
increase  attention  to  the  design  and  operational  reliability  of  these  important  systems. 

The  Board,  however,  has  recently  observed  a  fundamental  change  in  the  approach  to 
protection  of  the  public  at  certain  defense  nuclear  facilities.  This  change  has  resulted  in 
downgrading  of  the  functional  safety  classification  of  confinement  ventilation  systems. 
Specifically,  DOE  contractors  operating  or  designing  defense  nuclear  facilities  have,  through  a 
strong  reliance  on  analytical  estimates  of  passive  leakage,  prepared  safety  bases  that  have 
resulted  in  downgrading  and  sometimes  elimination  of  the  safety-class  function  of  confinement 
ventilation  systems.  This  approach  can  potentially  result  in  the  unfiltered  release  of  air 
containing  radioactive  materials  during  an  accident. 

This  report  describes  this  misuse  of  DOE  requirements,  which  provides  only  minimum 
levels  of  required  protection  to  the  public.  The  report  also  compares  this  approach  with  the 
traditional  approach  of  using  a  safety-class  confinement  ventilation  system;  hence,  minimizing 
more  effectively  any  off-site  radiological  impact. 

In  addition,  this  report  demonstrates  that  analytical  tools  used  to  predict  passive  leakage 
do  not  account  for  many  of  the  uncertainties  involved  (e.g.,  the  dynamics  of  the  event,  diurnal 
effects,  wind,  emergency  evacuation  or  egress).  Passive  leakage  analyses  often  do  not  consider 
all  of  the  issues  that  must  be  addressed  should  an  accident  occur.  These  include  monitoring  of 
releases,  limiting  contamination,  and  supporting  accident  recovery.  These  uncertainties  and 
additional  considerations  further  justify  a  preference  for  a  safety-class  confinement  ventilation 
system  as  the  primary  means  of  protecting  the  public  against  the  potential  release  of  radioactive 
material. 

In  light  of  these  observations,  DOE  needs  to  provide  additional  guidance  and  explicitly 
state  its  policy  regarding  adequate  protection  of  the  public  and  workers  by  mandating  a  safety- 
related  active  confinement  ventilation  system  for  those  defense  nuclear  facilities  that  pose  the 
potential  for  significant  radiological  consequences. 
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1.  INTRODUCTION  AND  BACKGROUND 


A  principal  risk  to  the  health  and  safety  of  the  public  and  workers  from  defense  nuclear 
facilities  is  the  release  and  dispersal  of  radioactive  materials.  Prevention  of  such  release  and 
dispersal  is  an  important  function  of  confinement  systems.  This  vital  function  has  been  the  focus 
of  numerous  reviews  conducted  by  the  Defense  Nuclear  Facilities  Safety  Board  (Board)  during 
the  past  decade. 

On  May  31,  1995,  the  Board  transmitted  to  the  Department  of  Energy  (DOE)  the  results 
of  a  2-year  study  on  the  confinement  ventilation  systems  in  the  defense  nuclear  complex  in 
DNFSB/TECH-3,  Overview  of  Ventilation  Systems  at  Selected  DOE  Plutonium  Processing  and 
Handling  Facilities.  In  a  subsequent  letter  dated  June  15, 1995,  the  Board  requested  that  DOE 
provide  a  “report  that  evaluates  the  design,  construction,  operation,  and  maintenance  of 
ventilation  safety  systems  at  DOE’s  plutonium  processing  and  handling  facilities  in  terms  of 
applicable  DOE  and  consensus  standards  . . . .”  Although  DOE  took  several  actions  in  response 
to  the  issues  raised  by  the  Board,  the  Board  believed  that  the  important  safety  function  of 
confinement  required  more  attention  by  DOE.  Consequently,  the  Board  issued  Recommendation 
2000-2,  Configuration  Management,  Vital  Safety  Systems,  on  March  8,  2000. 

These  efforts  by  the  Board  have  helped  DOE  improve  the  reliability  of  confinement 
ventilation  systems.  In  some  instances,  degraded  components  have  been  identified  and  repaired 
or  upgraded;  in  other  instances,  design  deficiencies  have  been  discovered  and  corrected.  The 
Board  expects  DOE  to  continue  this  assessment  and  improvement  process.  Such  continued 
vigilance  is  needed  to  maintain  and  improve  the  reliability  of  important  safety  systems. 

Despite  these  efforts  by  the  Board  to  improve  the  reliability  of  confinement  ventilation 
systems  at  defense  nuclear  facilities,  continued  erosion  has  been  observed  in  recent  years  in 
maintaining  high  expectations  for  the  design  and  maintenance  of  such  systems.  Several  DOE 
contractors  have  conducted  analytical  modeling  of  passive  leakage  from  existing  facilities  during 
accident  scenarios  to  demonstrate  that  off-site  doses  fall  below  DOE’s  evaluation  guideline,  and 
subsequently  used  this  approach  to  downgrade  the  safety  classification  of  the  confinement 
ventilation  systems.  Additionally,  proposed  conceptual  or  preliminary  designs  for  several  new 
facilities  have  used  passive  confinement  as  the  credited  safety  approach,  again  relying  on 
calculations  of  passive  leakage  to  demonstrate  that  off-site  doses  remain  below  DOE’s 
evaluation  guideline. 

Unfortunately,  as  demonstrated  in  this  report,  the  analytical  calculation  of  a  value  for  the 
unfiltered  leakage  from  a  passive  structural  confinement  system  is  very  subjective,  dominated  by 
the  uncertainties  in  the  computer  programs  and  the  analytical  tools.  Calculations  reviewed  by 
the  Board  have  not  analyzed  all  of  the  important  phenomena  and  evaluated  the  impact  of  all  of 
the  key  assumptions.  More  importantly,  several  key  assumptions  are  impossible  to  maintain 
during  a  real  accident,  due  to  the  unpredictability  of  the  required  actions  by  the  emergency  crews 
responding  to  the  event. 
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As  outlined  in  DOE’s  requirements,  should  the  unmitigated  off-site  dose  from  an 
accident  challenge  DOE’s  evaluation  guideline  of  25  rem  total  effective  dose  equivalent,  those 
systems  relied  upon  to  prevent  or  mitigate  the  release  are  to  be  classified  as  safety-class. 
Consistent  with  good  practice,  the  most  effective  confinement  (especially  for  nuclear  material 
processing  activities)  is  generally  provided  by  a  confinement  ventilation  system.  Rather  than  a 
design  requirement  to  confine  the  radioactive  materials,  some  contractor  safety  analysts  use  a 
design  criterion  that  allows  the  public  dose  to  be  any  amount  below  25  rem.  Using  this  approach 
for  a  new  facility  and  designing  controls  to  a  25  rem  design  criterion  represents  a  significant 
change  in  DOE’s  approach  to  protection  of  the  public.  For  facilities  with  the  potential  for 
significant  radiological  insult  to  the  public,  the  confinement  ventilation  system  would  need  to  be 
classified  as  safety-class.  Similarly,  a  safety-significant  confinement  ventilation  system  should 
be  identified  to  protect  workers  from  significant  consequences. 

Section  2  of  this  report  describes  the  advantages  and  disadvantages  of  active  and  passive 
confinement  systems  and  demonstrates,  through  the  evaluation  of  a  case  study,  the  uncertainties 
associated  with  the  lack  of  active  safety-class  confinement  ventilation  systems  at  defense  nuclear 
materials  processing  facilities.  Section  3  reviews  the  evolution  of  confinement  requirements  in 
the  nuclear  industry  and  the  apparent  shift  in  the  approach  to  protecting  the  public  as  illustrated 
by  recent  proposals  to  rely  on  passive  instead  of  active  confinement.  The  final  section  presents 
conclusions. 
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2.  ACTIVE  VERSUS  PASSIVE  CONFINEMENT 


Confinement  of  hazardous  materials  during  normal  operation  and  potential  accidents 
should  be  based  on  the  first  principles  of  systems  engineering.  That  is,  the  system  designed  for  a 
certain  function  should  be  capable  of  performing  the  intended  function.  Consequently,  the 
decision  to  use  an  active  or  passive  confinement  feature  should  be  based  on  the  type  of  activity 
or  event  that  is  being  confined  by  such  a  system.  Using  this  principle,  for  example,  would  lead 
to  the  use  of  passive  confinement  (or  containment)  systems  for  activities  (such  as  storage)  with 
hazardous  materials  that  have  no  source  of  energy  for  releasing  the  materials.  On  the  other  hand, 
confinement  of  hazardous  materials  released  by  a  fire  or  explosion  should  use  active 
confinement  systems  capable  of  counteracting  the  energy  of  the  event. 


2.1  ACTIVE  CONFINEMENT  SYSTEMS 

These  systems  are  also  known  as  confinement  ventilation  systems  since  it  is  the 
ventilation  system  that  provides  the  active  function.  (Note  that  the  discussion  in  this  report  is 
limited  to  the  purpose  and  intended  function  of  ventilation  systems  as  they  relate  to  confining 
hazardous  materials.)  These  systems  may  consist  of  air  supply,  recirculating  air,  process 
ventilation,  and  exhaust  air  systems,  together  with  associated  air  filters,  fans,  dampers,  ducts, 
control  instrumentation,  and  supporting  systems  (such  as  power  supply  and  facility  structure). 
DOE  Handbook  1 169-2003,  Nuclear  Air  Cleaning  Handbook,  is  an  excellent  reference  for  the 
parameters  that  should  be  considered  in  the  design  and  operation  of  such  systems. 

Active  confinement  systems  are  used  during  normal  operations  to  confine  hazardous 
materials  closest  to  the  source  and  thus  protect  workers  from  exposure  to  such  materials.  The 
ventilation  flow  is,  therefore,  designed  using  a  cascading  system  that  starts  with  clean  air  (e.g., 
from  outside  the  building  or  from  hallways  and  office  spaces);  through  the  laboratories  or  rooms 
where  the  activities  are  performed;  through  the  gloveboxes,  tanks,  or  vessels  where  the  highest 
concentrations  of  the  hazardous  materials  may  exist;  and  out  to  the  environment  through  a  set  of 
high-efficiency  particulate  air  (HEP A)  or  sand  filters.  Such  a  cascading  system  can  still  be  as 
effective  during  an  accident  as  it  is  during  normal  operations  if  the  system  remains  intact  and 
operating. 

Potential  operational  accidents  (e.g.,  spills,  fires,  and  explosions)  may  release  hazardous 
radioactive  materials  outside  the  intended  area  (e.g.,  glovebox)  and  into  a  room  or  laboratory. 
An  active  confinement  system  is  usually  designed  to  direct  air  contaminated  by  such  releases 
into  the  ducts  and  through  the  HEPA  (or  sand)  filters  before  it  enters  the  environment,  provided 
the  ventilation  system  remains  intact  during  the  event.  This  function  is  provided  immediately  at 
the  release  point,  thus  preventing  hazardous  materials  from  flowing  upstream  and  exiting  the 
facility.  There  is  little  chance  of  radioactive  materials  being  spread  to  the  rest  of  the  facility  or 
carried  untreated  to  the  outside  because  of  the  cascading  effect  of  the  active  ventilation  system. 
This  confinement  function  of  an  active  ventilation  system  will: 
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•  Protect  those  facility  workers  not  in  the  immediate  vicinity  of  the  accident  from 
being  exposed  to  the  hazardous  material. 

•  Allow  facility  workers  to  exit  the  facility  through  the  closest  emergency  egress, 
consistent  with  life  safety  code  provisions,  while  minimizing  the  release  of 
radioactive  materials  to  the  environment. 

•  Confine  the  contamination  locally  and  minimize  the  spread  of  contamination 
throughout  the  facility,  easing  associated  cleanup  efforts. 

•  Protect  that  portion  of  the  facility  not  involved  in  the  accident  from  its 
consequences,  thus  protecting  the  ability  of  the  facility  to  accomplish  its  mission  and 
meet  its  national  security  commitments. 

•  Allow  the  emergency  crew  more  flexibility  to  access  the  facility  through  their 
preferred  access  doors  and  take  appropriate  action  in  a  timely  and  effective  manner. 

•  Allow  for  an  assessment  of  the  hazardous  environment  that  the  emergency  crew 
would  be  entering  through  the  sampling  of  air  drawn  from  the  accident  area. 

•  Allow  for  an  assessment  of  the  radioactive  material  leaving  the  facility  (e.g.,  through 
stack  monitoring). 

•  Direct  air  containing  radioactive  materials  through  the  HEPA  or  sand  filters  before 
any  release  to  the  environment,  substantially  reducing  (e.g.,  by  about  four  orders  of 
magnitude  from  HEPA  filters)  any  public  exposure  to  the  consequences  of  the 
accident. 

A  safety-related  active  confinement  ventilation  system  that  is  identified  in  a  facility’s 
safety  basis  as  mitigating  the  dose  consequences  of  an  event  must  be  effective  during  certain 
normal  and  abnormal  conditions  and  meet  a  number  of  functional  requirements.  These 
requirements  include  maintaining  a  certain  negative  pressure  with  respect  to  the  outside 
atmosphere  in  a  cascading  manner  to  ensure  that  the  flow  of  air  would  be  directed  from  cleaner 
areas  to  more  contaminated  ones.  Meeting  this  requirement  necessitates  limiting  the  size  of 
facility  leakage  paths  (e.g.,  cracks  around  doors  and  penetrations)  to  a  very  small  value. 
Unfiltered  leakage  of  air  containing  radioactive  materials  following  an  accident  is  not  expected  if 
the  active  confinement  system  is  designed  properly  (i.e.,  considers  potential  leak  paths),  remains 
intact,  and  continues  to  operate.  However,  if  the  active  system  is  not  designed  to  remain 
operational  during  accident  conditions,  these  same  leak  paths  could  exist  during  the  event  and 
would  be  combined  with  those  created  by  emergency  access  to  or  egress  from  the  building 
through  temporary  opening  of  the  doors. 
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Other  functional  requirements  may  include  effective  filtration  of  the  materials  released 
during  a  fire.  Active  confinement  ventilation  systems  must  be  capable  of  operating  during  a  fire 
and  filtering  the  hazardous  materials  out  through  the  use  of  HEP  A  or  sand  filters.  The  fire  may 
release  particles  and  combustion  products  that  could  clog  the  filters  and  prevent  them  from 
performing  their  intended  function,  if  not  designed  properly.  Detailed  guidance  regarding  the 
design  requirements  for  protection  against  such  an  event  is  provided  in  DOE  Handbook  1169- 
2003,  Nuclear  Air  Cleaning  Handbook,  and  DOE  Standard  1066-99,  Fire  Protection  Design 
Criteria. 

To  maintain  the  reliability  of  an  active  confinement  ventilation  system  at  a  level  to  ensure 
it  performs  its  safety-related  function  requires  continued  vigilance  on  the  part  of  DOE  and  its 
operating  contractor.  This  necessitates  routine  preventive  maintenance  and  configuration  control 
of  the  associated  system  identified  in  the  facility’s  safety  basis. 

It  should  be  noted  that  an  active  confinement  ventilation  system  would  encompass  the 
features  that  comprise  a  passive  confinement  system.  That  is,  should  power  be  lost  or 
unavailable  to  force  the  air  containing  hazardous  materials  through  the  filters,  the  passive 
confinement  boundaries  would  still  be  available  to  confine  the  hazards  to  a  lesser  degree  as 
discussed  in  the  following  section. 


2.2  PASSIVE  CONFINEMENT  SYSTEMS 

These  systems  are  designed  to  confine  hazards  passively.  They  consist  of  an  identified 
contiguous  boundary  between  the  hazardous  material  and  the  environment.  Such  systems  have 
no  active  components,  and  are  therefore  considered  less  susceptible  to  failure  when  called  upon 
to  function.  The  absence  of  active  components  can  also  lead  to  reduced  installation  and 
maintenance  costs,  although  this  is  not  always  the  case. 

Passive  confinement  systems  are  generally  used  for  storage  of  hazardous  materials  when 
sources  of  energy  do  not  exist  within  the  confinement  area  and  cannot  be  introduced  from  the 
outside  to  interfere  with  the  system’s  intended  function.  For  example,  containers  approved  by 
the  Department  of  Transportation  are  used  for  storage  or  transportation  of  radioactive  materials 
that  are  not  energetic.  These  containers  are  designed  to  prevent  the  introduction  of  external 
energy  sources  that  could  disturb  the  hazardous  materials  from  their  steady-state  condition. 
Less-robust  containers,  such  as  storage  drums  with  HEPA  filters,  may  also  be  used  as  passive 
confinement  barriers  for  storage  of  radioactive  materials  that  lack  the  potential  for  energetic 
events  and  are  not  subject  to  harsh  external  hazards. 

Given  the  perception  of  higher  reliability  and  lower  installation  and  maintenance  costs, 
several  operating  contractors  in  the  defense  nuclear  complex  have  recently  extended  application 
of  the  concept  of  passive  confinement  to  nuclear  processing  facilities.  In  applying  this  concept, 
the  building  structure  and  its  connecting  ports  to  the  outside  (e.g.,  doors,  penetrations,  and  HEPA 
filters)  are  identified  as  the  passive  confinement  system.  The  passive  confinement  system  is 
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credited  with  confining  the  hazards  generated  as  a  result  of  operational  mishaps  or  other 
accidents.  The  facility  ventilation  system  is  not  credited  in  the  safety  bases  as  a  safety-related 
component  of  the  confinement  boundary,  and  its  active  components  are  not  expected  to  remain 
operational  during  an  event.  Therefore,  accidentally  released  hazardous  materials  in  the  facility 
are  captured  by  HEPA  or  sand  filters  only  to  the  extent  that  air  contaminated  with  the  materials 
may  be  passively  forced  to  the  outside  environment  through  these  ports.  Ideally,  during  an 
accident  the  confinement  boundary  remains  intact,  and  there  is  no  unfiltered  release  of  air 
containing  hazardous  material  to  the  environment.  Should  the  confinement  boundary  be 
breached  or  have  existing  leaks,  however,  hazardous  material  will  escape  directly  to  the 
environment,  carried  by  air  that  does  not  pass  through  any  filtration  device. 

The  concept  of  passive  confinement  systems  should  not  be  confused  with  passive  safe 
shutdown.  Although  the  same  systems  and  boundaries  may  be  involved  in  these  two  concepts, 
their  intended  functions  are  quite  different.  The  latter  systems  are  designed  to  temporarily 
confine  the  hazardous  materials  that  may  exist  in  a  facility  (e.g.,  glovebox  contamination  or 
radioactive  materials  staged  in  a  glovebox  or  tank)  in  a  nonactive  operational  mode  (shutdown). 
Under  the  passive  safe  shutdown  concept,  the  intent  is  to  provide  a  confinement  system  that  can 
be  relied  upon  during  a  shutdown  mode.  Operational  activities  that  are  capable  of  disturbing  the 
material  are  prohibited  in  this  mode.  The  hazardous  material  has  to  be  stowed  properly  before 
shutdown.  In  essence,  passive  safe  shutdown  systems  are  similar  to  storage  drums  with  HEPA 
filters;  that  is,  the  material  would  remain  in  its  steady-state  condition  and  be  confined  within  the 
boundaries  of  the  barriers  without  disturbance.  A  passive  safe  shutdown  system  may  consist  of 
the  facility  boundaries  (structure),  its  HEPA  filters,  and  its  penetrations,  along  with  any  double 
doors  or  airlocks.  No  active  system  is  needed  to  meet  the  intended  functional  requirements. 
Strict  operational  procedures  are  necessary  to  enforce  the  allowed  operational  mode.  Special 
procedures  are  also  needed  to  terminate  the  nonactive  operational  mode  and  return  to  the  normal 
operational  mode. 

Conceptually,  the  use  of  a  passive  ventilation  system  is  logical  and  attractive.  However, 
actual  implementation  and  operation  of  the  system  is  laden  with  many  uncertainties  such  that, 
from  a  safety  perspective,  its  disadvantages  outweigh  its  advantages. 

The  first  difficulty  associated  with  this  concept  centers  on  the  integrity  of  the 
confinement  boundary.  The  system  must  be  capable  of  performing  its  confinement  function 
under  all  plausible  upset  or  design  basis  accident  conditions.  The  structural  features  of  the 
boundary  must  therefore  be  capable  of  withstanding  these  conditions.  It  is  also  necessary  to 
consider  preexisting  exhaust  paths,  such  as  door  cracks  and  penetrations,  or  those  paths  created 
as  a  result  of  actions  taken  during  an  accident,  such  as  emergency  crew  members  entering  or 
facility  workers  evacuating  the  building. 

The  challenge  of  accurately  calculating  the  passive  leakage  is  the  second  problem 
resulting  from  the  use  of  passive  confinement.  Predicting  the  amount  of  release  under  passive 
confinement  conditions  can  be  quite  complex.  Fire  or  explosions  could  add  energy  to  the 
facility’s  atmosphere  and  introduce  a  motive  force  that  could  carry  hazardous  materials  through 
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an  exhaust  path.  In  addition,  quantifying  the  leakage  area  that  exists  in  a  facility,  which  is 
analogous  to  the  periodic  containment  leak  rate  tests  required  at  commercial  nuclear  reactors, 
although  possible,  is  not  easily  and  accurately  accomplished  at  nuclear  processing  facilities. 
Therefore,  determination  of  the  amount  of  radioactive  material  that  could  escape  the  facility 
becomes  very  complex  and  uncertain.  The  following  list  illustrates  a  number  of  complications 
that  prevent  safety  analysts  from  estimating  the  consequences  of  potential  events  to  workers  or 
the  public  with  any  degree  of  accuracy: 

•  Airborne  contaminants  would  travel  throughout  the  facility  following  the  path  of  least 
resistance  and  under  the  event’s  dynamic  forces,  which  generally  cannot  be  analyzed 
realistically  (e.g.,  smoke  and  hot  gases,  pressure  waves,  or  external  parameters  such 
as  wind). 

•  Facility  workers  might  use  any  number  of  emergency  exits  to  evacuate  the  facility, 
thus  allowing  the  radioactive  material  to  be  released  in  an  undeterminable  fashion. 

•  The  emergency  crew  and  security  personnel  might  access  the  facility  from  outside  for 
an  indefinite  amount  of  time,  allowing  air  containing  the  radioactive  materials  to 
leave  the  building  unfiltered. 

•  The  uncontrolled  spread  of  radioactive  material  in  the  facility  could  jeopardize  the 
future  use  of  the  facility,  interfering  with  its  national  security  mission,  as  well  as 
resulting  in  potential  worker  safety  issues  during  facility  recovery  and/or 
decontamination  activities. 

•  Environmental  postaccident  sampling  and  monitoring  would  not  be  possible  because 
of  the  unknown  location  of  release,  amount  of  release,  and  rate  of  volumetric  release. 

•  Consequences  to  the  public  could  approach  unmitigated  values,  since  this 
confinement  system  would  allow  the  unfiltered  release  of  air  bearing  an 
undeterminable  amount  of  radioactive  material  to  the  outside  until  the  airborne 
material  had  settled  or  been  removed  by  forced  interception  (e.g.,  active  ventilation  or 
cleanup  activities). 

Recent  attempts  by  DOE  and  its  operating  contractors  to  quantify  accurately  the  amount 
of  hazardous  material  released  from  a  passive  confinement  system  after  an  accident  have  been 
unsuccessful.  To  this  end,  the  contractors  have  used  elaborate  computer  programs,  capable  of 
modeling  the  facility  as  dozens  of  volumes  with  hundreds  of  connecting  junctions  to  represent  its 
openings.  They  have  combined  several  different  computer  programs  to  model  the  phenomena 
that  one  program  alone  could  not  handle.  The  uncertainties  of  these  analyses,  however,  are  so 
high  that  a  conservative  estimate  of  the  public  dose  could  become  a  significant  fraction  of  an 
unmitigated  release. 
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The  attempts  to  quantify  the  amount  of  hazardous  material  released  have  also  given  rise 
to  a  further  disturbing  issue:  DOE’s  25  rem  evaluation  guideline  has  been  used  as  the  measure 
of  success  in  the  performance  of  passive  confinement  systems.  The  25  rem  evaluation  guideline 
was  not  intended  to  be  used  as  a  design  criterion  for  exposure  to  the  public.  The  25  rem 
evaluation  guideline  was  identified  as  a  measure  for  determining  when  there  is  a  need  for 
safety-class  controls.  Several  defense  nuclear  facilities  for  which  passive  confinement  systems 
recently  have  been  proposed  have  unmitigated  off-site  consequences  many  times  greater  than  25 
rem. 


The  following  case  study  illustrates  some  of  these  issues  and  uncertainties. 


2.3  CASE  STUDY  FOR  PASSIVE  STRUCTURAL  CONFINEMENT 

The  documented  safety  analysis  prepared  for  a  plutonium  processing  facility  used  a 
passive  structural  confinement  system  to  demonstrate  that  a  safety-class  active  confinement 
ventilation  system  was  not  needed.  The  document  was  submitted  to  DOE  to  comply  with  the 
requirements  of  the  Nuclear  Safety  Management  Rule  (10  CFR  830).  For  a  fire  scenario,  the 
unmitigated  consequence  at  the  site  boundary  exceeded  the  evaluation  guideline  of  25  rem  by 
more  than  an  order  of  magnitude.  The  operating  contractor  calculated  a  building  leak  path  factor 
(LPF)1  of  about  1.6  percent  to  show  that  the  mitigated  consequences  of  about  3  rem  would  be 
acceptable,  while  crediting  the  passive  confinement  features  as  safety-class.  Prior  calculations 
for  this  facility  with  no  assumed  LPF  and  using  an  active  ventilation  system  yielded  site 
boundary  dose  consequences  4  to  8  orders  of  magnitude  smaller  (i.e.,  almost  0  rem)  because  of 
the  HEPA  filtration. 

The  LPF  analysis  was  based  on  calculations  performed  in  1996  and,  more  recently,  an 
alternative  method  using  the  MELCOR  computer  program  to  model  the  facility  as  37  volumes  or 
nodes  and  122  junctions.  The  computer  analysis  resulted  in  a  calculated  LPF  of  1 .6  percent. 
However,  the  computer  analysis  was  fraught  with  a  number  of  uncertainties  and 
nonconservatisms . 

MELCOR  was  originally  written  for  analysis  of  core  melt  accidents  at  commercial 
nuclear  power  plants,  and  is  capable  of  solving  mass  and  energy  transfer  equations,  thereby 
making  it  possible  to  follow  the  transport  of  airborne  materials  through  volumetric  nodes  and 
junctions.  The  computer  program  cannot,  however,  analyze  a  fire  scenario  and  must  be 
manipulated  externally  by  providing  the  temperature  rise  from  a  fire  as  input  to  the  code. 
Another  computer  program  must  be  used  to  model  a  fire.  The  contractor  used  CFAST  for  this 
purpose. 


t 


LPF  is  the  percentage  of  the  airborne  material  that  leaves  the  facility  and  reaches  the  environment. 
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CFAST  is  a  two-zone  model  used  to  calculate  the  evolving  distribution  of  smoke  and  fire 
gases  and  the  temperature  throughout  a  building  during  a  fire.  Its  use  involves  solving  a  set  of 
equations  that  predict  state  variables  (e.g.,  pressure  and  temperature)  based  on  the  enthalpy  and 
mass  flux  over  small  increments  of  time.  CFAST  does  not  include  a  burning-rate  model  to 
predict  fire  growth,  so  the  user  must  specify  the  initial  burning-rate,  as  well  as  any  variations  due 
to  changing  room  conditions.  This  can  have  a  significant  impact  on  the  accuracy  of  the  resulting 
calculation.  Further,  burning  can  take  place  in  several  areas  of  the  building,  an  effect  that 
CFAST  does  not  model.  For  a  fire  with  sufficient  available  oxygen,  the  burning  will  all  take 
place  within  the  fire  plume.  For  a  fire  in  which  oxygen  in  the  fire  plume  is  limited  because  of 
ventilation  restrictions,  burning  will  take  place  where  there  is  sufficient  oxygen.  Under  this 
condition,  unbumed  fuel  in  the  plume  will  successively  move  into,  and  bum  in,  the  upper  layer 
of  the  fire  room,  the  doorway  to  the  next  room,  the  upper  layer  of  the  next  room,  the  doorway  to 
the  third  room,  and  so  forth,  until  it  is  consumed  or  reaches  the  outside.  This  phenomenon  can 
introduce  significant  uncertainty  into  the  results. 

Simply  stated,  in  this  case  study,  CFAST  was  used  to  calculate  the  temperature  increase, 
while  MELCOR  followed  the  transfer  of  airborne  contaminants  due  to  the  expansion  of  the  air 
with  the  rise  in  temperature.  The  MELCOR  computer  program  is  not  capable  of  calculating 
increases  in  the  building  pressure  due  to  the  fire  products.  Other  potential  interface  issues  such 
as  changing  fire  and  ventilation  conditions  (e.g.,  fuel  burning  in  adjacent  compartments)  cannot 
be  addressed  in  a  simple  manner.  Finally,  the  combination  of  the  two  programs,  each  designed 
for  a  specific,  independent  purpose,  requires  a  significantly  greater  number  of  external  analytical 
manipulations,  which  can  introduce  substantial  uncertainty  into  the  results.  The  number  of 
sensitivity  analyses  required  to  arrive  at  a  conservative  value  using  such  a  concatenation  quickly 
becomes  prohibitive. 

The  communication  paths  between  the  volumes  (e.g.,  rooms  and  laboratories),  including 
those  connecting  the  volumes  to  the  outside  (such  as  door  gaps)  were  analyzed  using  assumed 
values.  Many  unconservative  values  were  included  in  these  assumptions — openings  to  the 
outside  (e.g.,  penetrations)  were  not  taken  into  account,  and  several  credited  door  seals  did  not 
exist.  The  fact  is  that  building  leak  paths  during  an  accident  cannot  reliably  be  predetermined 
numerically  on  the  basis  of  facility  conditions  during  normal  operations. 

The  fire  scenarios  were  modeled  for  an  event  duration  of  about  2  hours.  However, 
because  of  the  diurnal  effects  of  the  sun  and  the  facility’s  breathing  as  the  inside  and  outside 
temperature  varies  over  time,  motive  forces  capable  of  driving  hazardous  materials  out  of  the 
facility  continue  to  exist  well  beyond  the  assumed  2-hour  limit.  Such  phenomena  will  continue 
to  direct  airborne  contaminants  out  to  the  environment  until  the  contaminants  are  settled  by 
gravity  (i.e.,  the  heavier  particles)  or  removed  by  other  means  (e.g.,  active  ventilation  or  cleanup 
efforts).  Diurnal  effects  on  building  leakage  cannot  realistically  be  determined  using  the  two 
computer  models  discussed  above,  and  their  estimation  would  require  the  introduction  of  yet 
another  model  or  estimation  technique.  This  would  further  increase  the  complexity  and 
uncertainty  of  the  results. 
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The  1.6  percent  LPF  analysis  does  not  appear  to  have  conservatively  modeled  the 
potential  impact  of  the  external  wind  on  transporting  hazardous  material  out  of  the  building.  In 
the  analysis,  the  external  force  of  the  wind  was  exerted  on  the  side  of  the  building  with  the 
largest  openings  (e.g.,  an  open  emergency  exit  door)  for  some  scenarios,  thus  minimizing  (or  not 
allowing)  the  escape  of  hazardous  material  from  the  facility.  On  the  other  hand,  the  effect  of 
external  wind  on  the  building  was  not  modeled  at  all  for  some  more  energetic  events,  such  as 
fire. 


Finally,  although  emergency  evacuation  of  the  facility  workers  was  modeled  in  some 
analyses  (spill  events),  a  sensitivity  analysis  was  not  performed  on  the  timing  of  the  evacuation 
(e.g,  opening  the  room  doors  at  the  same  time  as  the  building  emergency  exit  doors).  On  the 
other  hand,  the  emergency  evacuation  of  the  building  was  not  modeled  for  more  energetic  events 
such  as  fire. 

Based  on  these  nonconservative  analyses,  additional  inquiry  was  made  to  determine  a 
more  conservative  value  for  the  building  LPF.  It  was  shown  that  a  fire  event  in  one  of  the  rooms 
would  result  in  an  LPF  of  25  percent  or  more.  This  analysis,  however,  did  not  consider  the 
impact  of  the  opening  of  the  emergency  doors  by  facility  workers  and  its  effect  on  the  LPF 
value.  It  is  estimated  that  such  considerations  could  increase  the  calculated  value  of  LPF  to  40 
or  60  percent. 

As  demonstrated  above,  the  analytical  calculation  of  a  value  for  the  unfiltered  leakage 
from  a  passive  structural  confinement  system  can  be  highly  speculative.  Such  a  calculation  is 
likely  dominated  by  the  uncertainties  and  limitations  of  the  computer  programs  and  analytical 
tools  used  and  is  incapable  of  analyzing  all  the  important  phenomena  involved  and  the  impact  of 
the  controlling  parameters.  Furthermore,  it  is  generally  impossible  to  model  the  conditions  of  a 
real  accident  because  of  the  uncertain  behavior  of  the  workers  and  the  emergency  crew 
responding  to  the  event.  Given  these  analytical  uncertainties,  a  conservative  estimate  of  the 
public  dose  for  such  a  confinement  system  could  be  more  than  60  percent  of  the  unmitigated 
event. 
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3.  EVOLUTION  OF  CONFINEMENT  REQUIREMENTS 


The  U.S.  Atomic  Energy  Commission  issued  Regulatory  Guide  3.12,  General  Design 
Guide  for  Ventilation  Systems  of  Plutonium  Processing  and  Fuel  Fabrication  Plants,  in  August 
1973.  It  sets  forth  expectations  for  the  design  of  a  ventilation  system  that,  if  satisfied,  would 
meet  the  requirements  of  10  CFR  70  that  “applicant’s  proposed  equipment  and  facilities  are 
adequate  to  protect  health  and  minimize  danger  to  life  or  property.”  Regulatory  Guide  3.12 
considers  ventilation  systems  to  be  “important  to  safety  because  they  serve  as  principal 
confinement  barriers  in  a  multiple  confinement  barrier  system  which  guards  against  the  release 
of  radioactive  or  other  potentially  dangerous  materials”  and  presents  the  regulatory  position  that 
“ventilation  systems  should  assure  the  confinement  of  hazardous  materials  during  normal  or 
abnormal  conditions  including  natural  phenomena,  fire,  and  explosions.”  The  guide  states  that 
“the  systems  must  continue  to  perform  their  safety  functions  effectively  under  all  conditions  by 
confining  radioactive  or  other  potentially  dangerous  materials.” 

A  similar  approach  was  adopted  by  DOE  in  its  General  Design  Criteria  Manual — DOE 
Order  6430. 1  (issued  in  December  1983)  and  its  revision  DOE  Order  6430. 1 A  (issued  in  April 
1989).  This  manual  recommends  a  three-layer  approach  to  achieving  confinement  objectives: 

•  Primary  confinement — to  be  provided  by  piping,  tanks,  gloveboxes,  encapsulating 
material,  and  any  off-gas  system  that  controls  effluent  from  within  the  primary 
confinement. 

•  Secondary  confinement — to  be  provided  by  walls,  floors,  roofs,  and  associated 
ventilation  exhaust  systems  of  the  facility. 

•  Tertiary  confinement— to  be  provided  by  walls,  floors,  roofs,  and  associated 
ventilation  exhaust  systems  of  the  facility. 

DOE  Order  6430.1  A  required  that  the  confinement  system,  defined  as  a  composite  of  the 
structure  and  its  associated  ventilation  systems,  remain  “fully  functional  following  any  credible 
DBA  [design  basis  accident],”  and  stated  that  “unfiltered/unmitigated  release  of  hazardous  levels 
of  such  materials  shall  not  be  allowed  following  such  accidents.”  It  also  required  that  design 
professionals  consider  the  criteria  presented  in  Regulatory  Guide  3.12  for  applicability  to 
plutonium  processing  and  handling  facilities. 

In  an  effort  to  overhaul  its  directives  system,  in  1995  DOE  issued  DOE  Order  420. 1, 
Facility  Safety,  which  superceded  DOE  Order  6430. 1 A.  The  requirements  in  this  new  Order, 
however,  were  not  as  prescriptive,  and  design  requirements  were  left  to  be  determined  by  safety 
analysis  reports  that  would  establish  the  identification  and  functional  classification  (i.e.,  safety- 
class  and  safety-significant)  of  the  structures,  systems,  and  components  (SSCs)  for  a  facility. 

This  Order,  as  well  as  its  latest  revision,  DOE  Order  420. 1 A,  states  that  “non-reactor  nuclear 
facilities  shall  be  designed  with  the  objective  of  providing  multiple  layers  of  protection  to 
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prevent  or  mitigate  the  unintended  release  of  radioactive  materials  to  the  environment.”  It  states 
further  that  “defense  in  depth  shall  include:  siting  . . . ;  the  use  of  successive  physical  barriers 
for  protection  against  the  release  of  radioactivity; . .  .  and  to  confine  and  mitigate  radioactivity 
associated  with  the  potential  for  accidents  with  significant  public  radiological  impact.”  The 
Order  no  longer  prohibits  the  unmitigated  accidental  release  of  hazardous  materials,  and  relies  on 
the  safety  analysis  process  to  demonstrate  adequate  protection  of  the  public  and  workers. 
However,  the  Order  does  state  that  “all  nuclear  facilities  with  uncontained  radioactive  materials 
(as  opposed  to  material  contained  within  drums,  grout,  and  vitrified  materials)  shall  have  means 
to  confine  them.” 

In  a  letter  to  DOE  dated  July  8,  1999,  the  Board  expressed  its  belief  that  this  general 
approach  for  identification  of  safety  systems  was  reasonable  “provided  that  it  is  made  quite  clear 
that  the  25  rem  evaluation  guideline  is  not  to  be  treated  as  a  design  acceptance  criterion  . . . 

The  Board  further  emphasized  that,  consistent  with  the  requirements  of  DOE  Order  420.1,  the 
design  of  Hazard  Category  2  and  3  nonreactor  nuclear  facilities  should  be  based  on  confining  the 
hazardous  radioactive  material  during  normal  operation  and  potential  accidents.  The  Board  also 
noted  that  confinement  systems  should  be  classified  as  safety-class  or  safety-significant  SSCs. 

In  January  2001,  DOE  issued  Subpart  B  of  10  CFR  830.  It  required  contractors  to 
establish  a  safety  basis  for  Hazard  Category  1,  2,  and  3  nuclear  facilities  in  accordance  with  its 
requirements  and  to  perform  work  in  accordance  with  the  hazard  controls  identified  therein.  For 
new  facilities  or  major  modifications,  the  rule  requires  contractors  to  use  the  safety  design 
criteria  identified  in  DOE  Order  420.1  or  obtain  DOE  approval  of  their  proposed  criteria.  The 
rule  identifies  the  methodology  presented  in  DOE’s  Preparation  Guide  for  U.S.  Department  of 
Energy  Nonreactor  Nuclear  Facility  Documented  Safety  Analyses  (DOE-STD-3009-94)  as  a  safe 
harbor  for  performing  safety  analyses  for  new  facilities  and  major  modifications,  as  well  as  for 
existing  facilities.  It  should  be  noted  that  this  methodology  was  originally  developed  for 
preparation  of  safety  bases  for  existing  facilities,  and  its  application  to  new  facilities  should  be 
limited  to  its  format  and  content  guidance.  In  other  words,  the  design  requirements  identified  in 
DOE  Order  420. 1  must  be  met  and  demonstrated  through  the  safety  analyses  that  are  prepared  in 
accordance  with  DOE-STD-3009-94. 

The  methodology  presented  in  DOE-STD-3009-94  is  hazards-based.  That  is,  based  on 
the  significance  of  unmitigated  consequences  to  the  public  and  workers,  safety-class  or  safety- 
significant  SSCs  should  be  identified  to  prevent  or  mitigate  events.  This  approach  does  not 
override  the  requirement  of  DOE  Order  420.1 A  that  “all  nuclear  facilities  . . .  shall  have  means 
to  confine”  the  hazards.  The  requirements  of  the  Order  must  be  met,  and  the  methodology  from 
the  standard  should  be  used  to  designate  a  safety  classification  for  the  confinement  system. 

DOE-STD-3009-94  does  not  require  identification  of  a  safety-related  active  confinement 
ventilation  system.  It  only  implies  that  such  a  system  is  part  of  the  safety  philosophy  and 
defense  in  depth  for  a  facility,  and  requires  specific  discussion  of  such  a  system  in  Chapter  2, 
“Facility  Description,”  of  the  documented  safety  analysis.  The  standard  further  states  that  “the 
handling  of  plutonium  in  a  facility  with  gloveboxes,  ventilation  zones  of  confinement,  and 
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HEPA  filters  . . .  would  be  adequate  for  closure  of  environmental  contamination  concerns.”  In  a 
discussion  aimed  at  identifying  safety-class  SSCs,  the  standard  states,  “For  existing  DOE  non¬ 
reactor  nuclear  facilities,  some  safety  systems  may  already  be  known  and  designated  as  such 
(e.g.,  fire  protection  systems  and  confinement  systems,  which  include  HEPA  filtration).  Some 
SC  [safety-class]  designations  for  such  safety  system[s]  may  also  be  self  evident.”  The  standard 
stops  short  of  explicitly  requiring  a  safety-class  active  confinement  ventilation  system. 

Although  the  use  of  multiple  barriers,  defense  in  depth,  and  confinement  of  hazards  is 
discussed  in  the  DOE  directives,  there  is  sufficient  ambiguity  in  the  requirements  to  allow 
contractors  to  deviate  from  having  to  identify  a  safety-related  active  confinement  system. 
Furthermore,  the  DOE  directives  are  not  integrated.  For  example: 

•  The  requirements  for  radiological  postaccident  monitoring  do  not  appear  in  the  safe 
harbors  of  the  Nuclear  Safety  Management  Rule. 

•  The  guidance  for  building  reentry  after  an  accident  and  for  postaccident  recovery  is 
not  related  to  preparation  of  the  documented  safety  analyses. 

•  There  are  no  DOE  requirements  for  protection  of  a  facility’s  mission,  as  it  relates  to 
national  security  or  nuclear  material  stabilization,  that  should  be  considered  in 
preparation  of  the  safety  bases  or  design  of  a  new  facility. 

•  The  emergency  response  procedures  and  safeguards  and  security  practices  are  not 
clearly  linked  to  the  accident  analyses. 

•  Although  the  documented  safety  analyses  are  required  to  include  discussion  of  the 
decontamination  and  decommissioning  of  the  facility,  those  requirements  relate  to  the 
final  end  state  of  the  facility  and  not  to  the  activities  that  would  be  carried  out  as  the 
result  of  an  accident. 

Consequently,  due  to  unclear  guidance  in  the  DOE  directives,  the  documented  safety 
analyses  and  subsequent  determinations  of  adequacy  of  the  confinement  systems  are  mainly 
focused  on  the  dose  at  the  site  boundary  should  an  accident  occur  and  do  not  reflect 
consideration  of  all  of  the  issues  discussed  above. 
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4.  CONCLUSIONS 


DOE’s  requirements  as  reflected  in  its  orders  and  standards  for  preparation  of  safety 
bases  appear  to  be  consistent  with  the  principles  of  Integrated  Safety  Management  advocated  by 
the  Board.  Those  requirements,  however,  have  been  implemented  using  a  variety  of  analytical 
methods  since  being  issued  almost  a  decade  ago.  It  appears  that  the  25  rem  public  dose 
evaluation  guideline  is,  in  some  instances,  being  used  as  a  design  criterion.  It  also  appears  that 
some  analysts  may  be  underestimating  the  complexity  of  problems  that  are  solved  analytically, 
ignoring  the  uncertainties  in  the  computational  results,  and  underestimating  the  potential  impact 
on  public  and  worker  health  and  safety.  The  safety  analyses  required  by  DOE  are  supposed  to  be 
an  estimate  and  illustration  of  how  the  requirements  are  met.  The  analyses  should  be  bounding, 
the  analytical  tools  must  be  pertinent  and  capable  of  predicting  the  results,  the  assumptions  ought 
to  be  practical,  and  the  uncertainties  of  the  analyses  should  be  accounted  for  in  the  design  and 
operational  procedures. 

Furthermore,  DOE’s  safety  requirements  for  the  preparation  of  safety  bases  are  aimed  at 
the  identification  of  controls  for  protection  of  the  public  and  workers  during  abnormal  events. 
They  are  not  well  integrated  with  other  needs,  and  in  some  cases  may  fail  to  encompass  all  of  the 
parameters  that  should  be  considered  in  designing  and  operating  a  nuclear  facility.  Postaccident 
recovery  and  building  reentry,  postaccident  monitoring  and  off-site  dose  measurements  for 
potential  worker  and  public  evacuation,  and  protection  of  the  mission  of  the  facility  are  just  some 
of  the  additional  parameters  that  should  play  an  important  role  in  deciding  which  type  of 
confinement  system  is  best  suited  for  a  defense  nuclear  processing  facility. 

This  report  has  demonstrated  that  the  application  of  passive  confinement  systems  for 
some  operational  events  at  defense  nuclear  processing  facilities  may  be  inappropriate.  An  active 
confinement  system  is  needed  to  ensure  the  safety  of  the  public  and  workers.  Such  a  system 
would  also  provide  for  some  other  DOE  needs  that  might  not  be  encompassed  by  the  safety 
analyses.  The  boundaries  of  such  systems  need  to  be  clearly  defined,  including  their  supporting 
systems,  the  power  supply,  and  instrumentation  and  controls.  The  guidance  provided  in 
Regulatory  Guide  3.12  and  adopted  in  the  cancelled  DOE  Order  6430.1  A  appears  to  set  a  solid 
foundation  for  the  design  and  operational  reliability  of  such  systems.  DOE  needs  to  provide 
additional  guidance  and  explicitly  state  its  policy  regarding  adequate  protection  of  the  public  and 
workers  by  mandating  a  safety-related  active  confinement  ventilation  system  for  those  defense 
nuclear  facilities  that  pose  the  potential  for  significant  radiological  consequences.  New  nuclear 
facilities  with  offsite  consequences  that  challenge  DOE’s  evaluation  guidelines,  in  particular, 
should  be  designed  with  a  safety  class  active  confinement  ventilation  system  backed  up  by  a 
passive  confinement  system. 
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